Category Archives: FreeBSD

ssh-keygen

Scenario: set up ssh keys between two machines so that no password is required for something like scp.

First you need a dedicated user. Run ‘adduser’ on both machines and pick a user name. Make sure the user has a shell account but is not going to authenticate with a password.

On the remote machine, log in as that user (something like su username) and run ssh-keygen. Once it finishes you will have a public key in /home/username/.ssh/id_rsa.pub, which you need to append to the following file on the remote machine –

/home/username/.ssh/authorized_keys

You then need to ensure everything under .ssh is owned by the user you created: chown -R username /home/username/.ssh

Do this on both machines.

You can then su username on the local machine and try an scp command; it should not prompt you for a password.

You can then either run a script from that user’s crontab, or, if you prefer, something like this should work –

su username -c "scp -B remotehost:/etc/somefile /tmp"
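As an added example (not from the original post), here is a POSIX sh helper that does the authorized_keys step the way sshd expects: it creates .ssh as 0700, appends the public key only if that key is not already present, and leaves authorized_keys as 0600, since sshd's StrictModes refuses looser modes. The function names install_pubkey, count_key and ssh_perms_ok are my own.

```shell
#!/bin/sh
# Added example (hypothetical helper names): set up key-based login for a user
# on the machine that will accept the connection.

# install_pubkey HOME_DIR PUBKEY_FILE
# Creates HOME_DIR/.ssh (0700), appends the first line of PUBKEY_FILE to
# authorized_keys unless the same key is already there, and sets the file to
# 0600. sshd's StrictModes rejects group/world-writable .ssh or key files.
install_pubkey() {
    home=$1
    pubkey=$2
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"
    [ -f "$pubkey" ] || { echo "no such public key file: $pubkey" >&2; return 1; }
    # Compare on key type and base64 blob only, so a different comment on the
    # same key does not produce a duplicate entry.
    keyid=$(awk 'NR==1 {print $1, $2}' "$pubkey")
    [ -n "$keyid" ] || { echo "empty public key file: $pubkey" >&2; return 1; }
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    if ! awk -v id="$keyid" '($1 " " $2) == id {found=1} END {exit !found}' "$auth"; then
        awk 'NR==1' "$pubkey" >> "$auth"   # always ends with a newline
    fi
    chmod 600 "$auth"
}

# count_key HOME_DIR PUBKEY_FILE: number of authorized_keys entries for that key.
count_key() {
    keyid=$(awk 'NR==1 {print $1, $2}' "$2")
    awk -v id="$keyid" '($1 " " $2) == id {n++} END {print n+0}' "$1/.ssh/authorized_keys"
}

# ssh_perms_ok HOME_DIR: true when .ssh is 0700 and authorized_keys is 0600
# (the mode field of ls -l has the same layout on GNU and BSD).
ssh_perms_ok() {
    [ "$(ls -ld "$1/.ssh" | cut -c2-10)" = "rwx------" ] &&
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c2-10)" = "rw-------" ]
}

# Usage: install_pubkey /home/username /tmp/id_rsa.pub (key copied from the other machine)
if [ $# -eq 2 ]; then
    install_pubkey "$1" "$2" && ssh_perms_ok "$1" && echo "key installed for $1"
fi
```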

MailWatch for MailScanner – XML-RPC Error: Invalid return payload:

I was fighting with this error for some time. I’ve fixed it quite a few times, but I forgot again because it’s been so long since I built a new mailscanner / mailwatch machine.

The error was this –

mailwatch detail.php XML-RPC Error: Invalid return payload:

And then in the logs some of this –

XML-RPC: xmlrpc_server::service: http headers already sent before response is fully generated. Check for php warning or error messages

mailwatch http headers already sent before response is fully generated. Check for php warning or error messages

Anyway, the fix was to create a php.ini file! Simples..

Simply put – cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini && /usr/local/etc/rc.d/apache24 restart – fixed it for me! Without a php.ini, PHP runs on its built-in defaults, which include display_errors on, so any warning is printed ahead of the XML-RPC response and corrupts the payload; the production ini turns that off. Hope it helps someone out there having XML-RPC problems with MailWatch.

I’m running this with php56-5.6.17 and it works fine for me.

Installing VMWare tools on FreeBSD 10.1

Here are my instructions for ESXi 5.5 and VM version vmx-10.

I tried the instructions on http://ogris.de/vmware/freebsd10.html but they choked on line 9 with an error. I assume they were written for 10.0 only. When I tried to install the tools manually it failed because it could not find perl. I changed every reference to perl and then it worked.

Right click the VM, then Guest, Install VMware Tools, to mount the ISO. If you are using the web client, right click the VM, then All vCenter Actions, Guest OS, Install VMware Tools.

On the machine, mount the iso –

mount -t cd9660 /dev/cd0 /mnt

cd /tmp

tar xzf /mnt/vmware-freebsd-tools.tar.gz, or if you want to see the files as they extract –

tar vxzf /mnt/vmware-freebsd-tools.tar.gz

cd vmware-tools-distrib

grep -r "/usr/bin/perl" *

Change all references from /usr/bin/perl to /usr/local/bin/perl.

vi /usr/local/bin/vmware-uninstall-tools.pl (again, change /usr/bin/perl to /usr/local/bin/perl)

Now you can run the script –

./vmware-install.pl

You should not get an error (hopefully!!).
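An added example, not from the original post or from the VMware tools tarball: a sh function (repoint_perl, my own name) that rewrites the /usr/bin/perl references across the extracted tree in one go, working with both BSD and GNU sed and keeping each script executable.

```shell
#!/bin/sh
# Added example (hypothetical helper name): point the VMware tools installer
# scripts at the ports perl instead of /usr/bin/perl, which FreeBSD 10 lacks.

# repoint_perl DIR [OLD] [NEW]
# Rewrites every reference to OLD (default /usr/bin/perl) as NEW (default
# /usr/local/bin/perl) in files under DIR and prints each file changed.
# Edits go through a temp file outside the tree because "sed -i" differs
# between BSD and GNU sed; writing back with cat keeps the file's mode, so
# the installer scripts stay executable.
repoint_perl() {
    dir=$1
    old=${2:-/usr/bin/perl}
    new=${3:-/usr/local/bin/perl}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # grep -l exits 1 when nothing matches; that just means nothing to do.
    files=$(grep -rlF "$old" "$dir" 2>/dev/null || :)
    [ -n "$files" ] || return 0
    tmp=$(mktemp) || return 1
    printf '%s\n' "$files" | while IFS= read -r f; do
        sed "s|$old|$new|g" "$f" > "$tmp" && cat "$tmp" > "$f" && echo "$f"
    done
    rm -f "$tmp"
}

# Usage, after extracting the tarball into /tmp:
#   repoint_perl /tmp/vmware-tools-distrib
if [ $# -ge 1 ]; then
    repoint_perl "$@"
fi
```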

FreeBSD Upgrade to new release

I’m still learning about this, but here are my latest instructions that seem to work well for me.
I am going to show you how to upgrade from a 10.0 to 10.1 release.

You can check what you are running with –

uname -a

Firstly, we need to upgrade to the latest patch level of the release we are already on. I do this with the simple –

freebsd-update fetch

then –

freebsd-update install
reboot

Now we are on the latest 10.0 (EOL in March 2015).
To perform a release upgrade, we need to run the following command –

freebsd-update -r 10.1-RELEASE upgrade

This will take a while, depending on what you have installed on your machine. I run mailscanner and sendmail and a bunch of tools to filter spam etc; mine takes about 20 minutes.
You will need to accept the changes.

When this finishes it will walk you through merging the configuration files that changed between 10.0 and 10.1. Keep the 10.1 version and delete the 10.0 lines. Make sure you remove every instance of the <<<< and >>>> merge markers, or when you bring the system back up your services, like sendmail etc, will complain. It’s not a disaster, as you can fix them afterwards, but it saves time to get the files right in the first place.
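An added example, not part of the original post: a sh function (find_conflict_markers, my own name) to run over /etc before the install and reboot steps below, listing any files that still carry the <<<< or >>>> merge markers.

```shell
#!/bin/sh
# Added example (hypothetical helper name): catch half-merged config files
# before the post-upgrade install and reboot.

# find_conflict_markers DIR
# Prints every regular file under DIR that still has a line beginning with
# <<<< or >>>> (the markers freebsd-update leaves around the 10.0 and 10.1
# versions of a changed file). Returns 1 if any were found, 0 if clean, so
# it can gate the next step:  find_conflict_markers /etc && freebsd-update install
find_conflict_markers() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # grep -l exits 1 when nothing matches, which is the clean case.
    found=$(find "$dir" -type f -exec grep -lE '^(<<<<|>>>>)' {} + 2>/dev/null || :)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# conflict_count DIR: number of files still needing attention.
conflict_count() {
    find_conflict_markers "$1" 2>/dev/null | grep -c .
}

if [ $# -eq 1 ]; then
    if find_conflict_markers "$1"; then
        echo "no merge markers under $1"
    else
        echo "fix the files above before running freebsd-update install" >&2
        exit 1
    fi
fi
```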

Once this is complete, run the following command –

freebsd-update install

Then –

reboot

Once the machine comes back up, you will need to run the install command again –

freebsd-update install

At this point you need to upgrade all your ports and packages. BUT, before you do that, you should read the UPDATING file –

less /usr/ports/UPDATING

I start with my ports, so –

cd /usr/ports
portsnap fetch extract
cd /usr/ports/ports-mgmt/portmaster
make install clean

I then use portmaster to update all ports; there are a number of ways you can do this. I like the following command, as I like to see what’s going on –

portmaster -af

You can give it more options, for example -G stops the config dialogs from being displayed, but I want to see these so I can check I have everything set properly.

If you have packages, then you can run the following command to update these also –

pkg-static upgrade -f

But you might want to upgrade pkg, if you haven’t done so already, to pkgng –

cd /usr/ports/ports-mgmt/pkg
make
make install clean
pkg2ng

Once you are happy, you’ll need to finish off by running the install command for the final time –

freebsd-update install
reboot

When the machine comes back you can run –

uname -a

And you should see your new 10.1 release!

Thanks!

FreeBSD 10 source tree missing /usr/src/

I recently installed FreeBSD 10, as I broke my server by trying to install a 32-bit ESET antivirus, which is actually all they provide for FreeBSD. Anyway, I couldn’t see anything in the source directory /usr/src/, so I tried to install it using sysinstall.

# sysinstall
bash: sysinstall: command not found

sysinstall has been replaced by bsdinstall in FreeBSD 10, but looking at that, it only offers a partitioning facility. After some reading I found this thread – http://forums.freebsd.org/viewtopic.php?t=29172

I also read this – https://www.freebsd.org/doc/handbook/svn.html

You need to install subversion first –

# cd /usr/ports/devel/subversion

# make install clean

Once you have this installed, you can do a checkout, but you need to find the version of FreeBSD first –

# uname -a

FreeBSD mymailfilter.richsphere.local 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

Check here for the link –

https://svn0.us-west.FreeBSD.org/base/releng/

Mine would be https://svn0.us-west.freebsd.org/base/releng/10.0/

So I ran this – svn checkout https://svn0.us-west.freebsd.org/base/releng/10.0/ /usr/src/

You will need to accept the server’s certificate on the first run.

In my case I needed this to compile sendmail with ssl support, which is a post I created some time ago. You’re welcome to read that, if you need, here — http://richsphere.co.uk/?p=23

Thanks for reading!

Remove the passphrase from the certificate’s private key.

I installed a certificate for Apache to enable SSL on a website. When you create the key and CSR for the certificate authority, you are asked for a passphrase.

When you install the certificate and restart the httpd service it asks for that passphrase, so it needs to be removed from the private key before the service can start unattended.

To do this use the following command:

openssl rsa -in securesite.domain.net.uk.key -out securesite.domain.net.uk.nopass.key

It will ask for the passphrase one last time and then write the key without it as the nopass version.

Make sure you change your ssl.conf file to use the new file:

SSLCertificateKeyFile "/path/to/certificates/securesite.domain.net.uk.nopass.key"

Installing TLS for Sendmail on FreeBSD

Installing TLS on sendmail on FreeBSD –

cd /usr/ports/security/cyrus-sasl2-saslauthd && make install

echo 'saslauthd_enable="YES"' >> /etc/rc.conf

Start the saslauthd –

/usr/local/etc/rc.d/saslauthd.sh start

Changing sendmail build options –

vi /etc/make.conf

#Add the following –

# SASL (cyrus-sasl v2) sendmail build flags…

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2

SENDMAIL_LDFLAGS=-L/usr/local/lib

SENDMAIL_LDADD=-lsasl2

# Adding to enable alternate port (smtps) for sendmail…

SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL

Once you have all this in place, it’s time to recompile sendmail.

cd /usr/src/lib/libsmutil && make cleandir && make obj && make

cd /usr/src/lib/libsm && make cleandir && make obj && make

cd /usr/src/usr.sbin/sendmail && make cleandir && make obj && make && make install

I added my certificates in /etc/mail/certs.

So –

mkdir /etc/mail/certs

Put your certificate files in here. A wildcard certificate for your domain is usually the most convenient one to use.

chmod -R 600 /etc/mail/certs/*
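An added example, not from the original posts, covering both the Apache key from the "Remove the passphrase" post above and the keys in /etc/mail/certs: a sh function (check_private_key, my own name) that confirms a PEM key is unencrypted, so the daemon starts unattended, and is not readable by group or others, since a key without a passphrase is protected only by its file mode.

```shell
#!/bin/sh
# Added example (hypothetical helper name): sanity-check a private key before
# handing it to httpd or sendmail.

# check_private_key FILE
# Returns 0 when FILE looks like a PEM private key, carries no passphrase
# (so the daemon can start without a prompt) and is readable only by its
# owner (an unencrypted key on disk is protected by its mode alone).
# Each failed check is reported on stderr and the function returns 1.
check_private_key() {
    f=$1
    status=0
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    if ! head -n 1 "$f" | grep -q 'PRIVATE KEY-----'; then
        echo "$f: does not look like a PEM private key" >&2
        status=1
    fi
    # A passphrase shows up as "Proc-Type: 4,ENCRYPTED" (traditional PEM) or
    # as a BEGIN ENCRYPTED PRIVATE KEY header (PKCS#8); both sit in the first
    # three lines.
    if head -n 3 "$f" | grep -q 'ENCRYPTED'; then
        echo "$f: still passphrase protected; strip it with: openssl rsa -in $f -out ..." >&2
        status=1
    fi
    # Columns 5-10 of ls -l are the group and other permission bits (same
    # layout on GNU and BSD ls); anything but dashes means the key leaks.
    mode=$(ls -l "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$f: readable by group or others; run chmod 600 $f" >&2
        status=1
    fi
    return $status
}

# Usage: check_private_key /etc/mail/certs/your_wildcard_key.key
if [ $# -ge 1 ]; then
    rc=0
    for k in "$@"; do check_private_key "$k" || rc=1; done
    exit $rc
fi
```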

Make sure sendmail is using saslauthd for authentication in /usr/local/lib/sasl2/Sendmail.conf –

pwcheck_method: saslauthd

We then need to add the following to your fqdn.mc file in the /etc/mail/ directory –

define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl

TRUST_AUTH_MECH(`PLAIN LOGIN')dnl

define(`CERT_DIR', `/etc/mail/certs')dnl

define(`confCACERT_PATH', `CERT_DIR')dnl

define(`confCACERT', `CERT_DIR/ca-bundle.crt')dnl

define(`confSERVER_CERT', `CERT_DIR/your_certificate.pem')dnl

define(`confSERVER_KEY', `CERT_DIR/your_wildcard_key.key')dnl

define(`confCLIENT_CERT', `CERT_DIR/your_certificate.pem')dnl

define(`confCLIENT_KEY', `CERT_DIR/your_wildcard_key.key')dnl

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

You will need a ca-bundle.crt; you can find one by searching, or here – http://certifie.com/ca-bundle/ca-bundle.crt.txt

cd /etc/mail && make all install restart